Splunk Search

Concatenate field and count to display label in pie chart

philallen1
Path Finder

Hi

This is my query:

Username="*"   | top limit=10000 Username

This gives me a table with many rows, where the first row looks like this:

Username               count    percent
Vivek Lamba (lambav)   607      10.483592

I then view this data using a Pie Chart in my Dashboard.

Currently the labels on the pie chart only display the Username. How can I change my query so that the labels display:
"Username - count"
(i.e. "Vivek Lamba (lambav) - 607")

I've tried adding in an eval command like so:

Username="*"   |  eval UserPlusCount = Username + "-" + count | top limit=10000 UserPlusCount

...but I get "No results found"

What am I doing wrong?

Thanks

0 Karma

gun1989
New Member

Hi, can we add a dynamic result to a header?

0 Karma

gfuente
Motivator

Hello

try this:

...|  eval UserPlusCount = Username. "-". count |...

If it doesn't work, rename the count as another field

Regards

philallen1
Path Finder

Sorry I'm new to Splunk. How would the full query look? When I remove the 'top' piece of the query it breaks altogether. What should I replace it with?

Username="*" | stats count as Username by myfield | eval UserPlusCount = Username. "-". myfield | ...(i.e. what should go here)...

Thanks

0 Karma

gfuente
Motivator

try:

Instead of top, use: ... | stats count as myfield by Username | eval UserPlusCount = Username. "-". myfield |...

EDIT: Now I noticed, you have to do the eval after the top command, then you have the count field, and you can use it in the eval.

0 Karma

philallen1
Path Finder

I just tried:

Username="*" | eval UserPlusCount = Username. "-". Username| top limit=10000 UserPlusCount

And that did bring back data in a table like so:

Vivek Lamba (lambav) - Vivek Lamba (lambav) 607 10.483592

However, when I change "Username" to "count" it doesn't work at all! Any ideas?

0 Karma

philallen1
Path Finder

Hi gfuente - thanks for your unbelievably quick reply.

I tried this:
Username="*" | eval UserPlusCount = Username. "-". count | top limit=10000 UserPlusCount
as you suggested and it didn't work. "No results found"

What do you mean by:
"rename the count as other field"?

0 Karma
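
An added example, not posted by anyone in this thread, showing the ordering from gfuente's EDIT: `count` only exists after `top` has run, so an `eval` placed before `top` concatenates with a null field and produces no `UserPlusCount` value to chart. The `makeresults` events and the user names are constructed sample data; on real data, replace the first three lines with the original `Username="*"` search.

```spl
| makeresults count=6
| streamstats count AS n
| eval Username=case(n<=3, "Sample User A (constructed)", n<=5, "Sample User B (constructed)", true(), "Sample User C (constructed)")
| top limit=10000 Username
| eval UserPlusCount = Username . " - " . count
| fields UserPlusCount count
```

The result has one row per user, with labels such as "Sample User A (constructed) - 3" in the first column and the count in the second, which is the label/value layout a pie chart reads.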